Closed Bug 717171 Opened 8 years ago Closed 3 years ago

Crash @ js::ContextStack::currentScript

Categories

(Core :: JavaScript Engine, defect, critical)

defect
Not set
critical

Tracking

()

RESOLVED INCOMPLETE

People

(Reporter: scoobidiver, Unassigned)

Details

(Keywords: crash, regression)

Crash Data

It's a low volume crash but there's a spike in crashes, mainly on startup, that started in 12.0a1/20120110.
The regression range for the spike is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=cf8c9f9aeefc&tochange=c713003d3226

Signature 	js::ContextStack::currentScript(unsigned char**) More Reports Search
UUID	e0cc8410-ae67-4a4c-8627-7a4af2120110
Date Processed	2012-01-10 10:27:31.649516
Uptime	8
Last Crash	15 seconds before submission
Install Age	4.4 minutes since version was first installed.
Install Time	2012-01-10 18:23:22
Product	Firefox
Version	12.0a1
Build ID	20120110031111
Release Channel	nightly
OS	Windows NT
OS Version	6.0.6002 Service Pack 2
Build Architecture	x86
Build Architecture Info	AuthenticAMD family 15 model 107 stepping 1
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0xfffffffffffff000
App Notes 	
AdapterVendorID: 0x10de, AdapterDeviceID: 0x03d0, AdapterSubsysID: 2a5a103c, AdapterDriverVersion: 7.15.11.7521
D3D10 Layers? D3D10 Layers-
D3D9 Layers? D3D9 Layers-
EMCheckCompatibility	False

Frame 	Module 	Signature [Expand] 	Source
0 	mozjs.dll 	js::ContextStack::currentScript 	js/src/vm/Stack-inl.h:676
1 	mozjs.dll 	js_GetProperty 	js/src/jsobj.cpp:5488
2 	mozjs.dll 	JSObject::getGeneric 	js/src/jsobjinlines.h:208
3 	mozjs.dll 	js::Wrapper::get 	js/src/jswrapper.cpp:230
4 	mozjs.dll 	js::Proxy::get 	js/src/jsproxy.cpp:837
5 	mozjs.dll 	proxy_GetProperty 	js/src/jsproxy.cpp:1039
6 	mozjs.dll 	JSObject::getGeneric 	js/src/jsobjinlines.h:205
7 	mozjs.dll 	js::Wrapper::get 	js/src/jswrapper.cpp:230
8 	mozjs.dll 	js::Proxy::get 	js/src/jsproxy.cpp:837
9 	mozjs.dll 	proxy_GetProperty 	js/src/jsproxy.cpp:1039
10 	mozjs.dll 	JSObject::getGeneric 	js/src/jsobjinlines.h:205
11 	mozjs.dll 	js::Wrapper::get 	js/src/jswrapper.cpp:230
12 	mozjs.dll 	js::CrossCompartmentWrapper::get 	js/src/jswrapper.cpp:600
13 	mozjs.dll 	js::Proxy::get 	js/src/jsproxy.cpp:837
14 	mozjs.dll 	js_GetProperty 	js/src/jsobj.cpp:5488
15 	mozjs.dll 	JSObject::getGeneric 	js/src/jsobjinlines.h:208
16 	mozjs.dll 	js::NameOperation 	js/src/jsinterpinlines.h:421
17 	mozjs.dll 	js::mjit::stubs::Name 	js/src/methodjit/StubCalls.cpp:129
18 	xul.dll 	xpc::WrapperFactory::PrepareForWrapping 	js/xpconnect/wrappers/WrapperFactory.cpp:241
19 		@0x59c0207 	
20 	mozjs.dll 	js::mjit::EnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:1051
21 	mozjs.dll 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:1121
22 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:472
23 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:538
24 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:570
25 	mozjs.dll 	js::ProxyHandler::call 	js/src/jsproxy.cpp:303
26 	mozjs.dll 	js::Wrapper::call 	js/src/jswrapper.cpp:262
27 	mozjs.dll 	js::CrossCompartmentWrapper::call 	js/src/jswrapper.cpp:715
28 	mozjs.dll 	js::Proxy::call 	js/src/jsproxy.cpp:878
29 	mozjs.dll 	proxy_Call 	js/src/jsproxy.cpp:1389
30 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:513
31 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:570
32 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5455
33 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/xpconnect/src/XPCWrappedJSClass.cpp:1528
34 	xul.dll 	nsXPCWrappedJS::CallMethod 	js/xpconnect/src/XPCWrappedJS.cpp:611
35 	xul.dll 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:117
36 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:144
37 	xul.dll 	nsTraversal::TestNode 	content/base/src/nsTraversal.cpp:92

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3AContextStack%3A%3AcurrentScript%28unsigned%20char**%29
Crash Signature: [@ js::ContextStack::currentScript(unsigned char**)]
It's #2 top crasher in 12.0a1 over the last 3 days.
Keywords: topcrash
My nightly has been crashing since 20110110 build
Thought it was the addon issue...
It is working fine in Safe Mode

Is there any info need to provide to better trace and fix this bug?
(In reply to Rumos Mok from comment #2)
> It is working fine in Safe Mode

Then it sounds like an add-on, yes. You could try and disable add-ons one by one to figure out which one is connected to this crash.
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #3)
> (In reply to Rumos Mok from comment #2)
> > It is working fine in Safe Mode
> 
> Then it sounds like an add-on, yes. You could try and disable add-ons one by
> one to figure out which one is connected to this crash.

Of course I have tried to disable all addon and re-enable them one by one
I thought I have found that bad addon, so I go ahead and disable it, thought it would help solve the problem
And Nightly crashes in 1 minute after restarting...


Disabling remaining addon still makes my nightly crash...

So I go ahead and create a new profile, install the addons that I needed, browse for a while, and... crash again

Just tried on the 20110117 nightly, still crashing.
https://crash-stats.mozilla.com/report/index/bp-a7128514-d4b5-46be-a114-0ce842120117
The same profile runs pretty good on nightly builds before 20110110, as well as Aurora
Safe mode also disables the JITs. Seems more likely to be what's crashing.
Any way to check if JIT is causing the crash?
Go into about:config. Set the following two values to false and restart the browser:
javascript.options.methodjit.chrome
javascript.options.methodjit.content
(In reply to Ryan VanderMeulen from comment #7)
> Go into about:config. Set the following two values to false and restart the
> browser:
> javascript.options.methodjit.chrome
> javascript.options.methodjit.content

Seems it has stopped the crash
(In reply to Rumos Mok from comment #8)
> (In reply to Ryan VanderMeulen from comment #7)
> > Go into about:config. Set the following two values to false and restart the
> > browser:
> > javascript.options.methodjit.chrome
> > javascript.options.methodjit.content
> 
> Seems it has stopped the crash

an update:
no crash if methodjit.chrome and methodjit.content is set to "false"
no crash if methodjit.chrome is true and methodjit.content is set to "false"
crash if methodjit.content is set to "true"
(In reply to Rumos Mok from comment #9)
> an update:
> no crash if methodjit.chrome and methodjit.content is set to "false"
> no crash if methodjit.chrome is true and methodjit.content is set to "false"
> crash if methodjit.content is set to "true"

So that means it's probably a we page that is causing this and not our own UI - web stuff is "content", our UI is "chrome". Also, it's crashing in the JIT.

I wonder if TypeInference is involved, not sure if we have that on for both chrome and content by default - I know we have it on for content at least, but it might be just on generally.

Could you try with both methodjit preferences on and setting javascript.options.typeinference to false? That can help us narrow it down even more.

Also, I wonder if your processor supports SSE2, as we fixed problems in development recently that had to do with non-SSE-supporting CPUs.
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #10)
> (In reply to Rumos Mok from comment #9)
> > an update:
> > no crash if methodjit.chrome and methodjit.content is set to "false"
> > no crash if methodjit.chrome is true and methodjit.content is set to "false"
> > crash if methodjit.content is set to "true"
> 
> So that means it's probably a we page that is causing this and not our own
> UI - web stuff is "content", our UI is "chrome". Also, it's crashing in the
> JIT.
> 
> I wonder if TypeInference is involved, not sure if we have that on for both
> chrome and content by default - I know we have it on for content at least,
> but it might be just on generally.
> 
> Could you try with both methodjit preferences on and setting
> javascript.options.typeinference to false? That can help us narrow it down
> even more.
> 
> Also, I wonder if your processor supports SSE2, as we fixed problems in
> development recently that had to do with non-SSE-supporting CPUs.

Disabling TI still results in a crash
And CPU in both my home desktop and office desktop supports SSE2
I'm not completely sure if it's the same issue, but I can reliably reproduce a crash with a signature of @ js::ContextStack::currentScript(unsigned char**) with these steps:

1) Open a new tab
2) Open the web console
3) Paste this JavaScript code into it and run it:
window.onresize = function () {console.log(getComputedStyle(document.body).width)}
4) resize the window

=> crash bp-e981ddf2-6787-40ce-a840-0c3312120123
(In reply to Andreas Jung from comment #12)
> I'm not completely sure if it's the same issue, but I can reliably reproduce
> a crash
I can't reproduce it in 32-bit and 64-bit builds.
Does it happen with a new profile?
Not reproducible in
Mozilla/5.0 (Windows NT 5.1; rv:12.0a1) Gecko/20120123 Firefox/12.0a1

Still reproducible in
Mozilla/5.0 (Windows NT 5.1; rv:12.0a1) Gecko/20120122 Firefox/12.0a1
(In reply to Andreas Jung from comment #14)
> Not reproducible in
> Mozilla/5.0 (Windows NT 5.1; rv:12.0a1) Gecko/20120123 Firefox/12.0a1
There are no crashes in 12.0a1/20120123.
The working range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=244711942710&tochange=758005504cab
Finally, there's one crash in 12.0a1/20120123:
bp-6f36a020-91ec-476a-9702-4003a2120125
But it has a different stack.
We're getting the same issue when running the application we developed. Here is a couple of crash reports.

https://crash-stats.mozilla.com/report/index/bp-64fa6dfd-4561-4447-90f4-2d66c2120227
https://crash-stats.mozilla.com/report/index/bp-71e0f424-a360-40a9-98bd-8279c2120222
https://crash-stats.mozilla.com/report/index/bp-78d23a8f-88bc-4155-810c-f2bf42120220

This setting is irrelevant:
javascript.options.tracejit.chrome

Firefox crashes if I got both this options set to True:
javascript.options.tracejit.content
javascript.options.typeinference

If at least one of them is false, then everything is fine.

It is not related to a particular computer. It occurs on Windows and on Linux. It has been introduced in Firefox v10 and is still present in v10.2, as well as in 11.b4.
It doesn't occur however in today's nightly build 13.0a1 (2012-02-26)

Could someone predict which release will have this fix? Is it possible to include this fix to the next release of v11 or v10.3?

Thank you!
Sorry, I was talking about v12 alpha:12.0a1 (2012-02-26)
I mean it is fixed in 12.0a1 (2012-02-26), but still occurs in v10.2 and v11.b4
I see one of these in 12a2 for build id 20120228042013. I am going to leave it open for now and see what happens after the next cutover. I don't think it's a top crash anymore though.
Keywords: topcrash
no crashes starting in TB15 for
fs::ContextStack::currentScript(unsigned char**) 

(In reply to Sheila Mooney from comment #20)
> I see one of these in 12a2 for build id 20120228042013. I am going to leave
> it open for now and see what happens after the next cutover. I don't think
> it's a top crash anymore though.

can you still reproduce?
Flags: needinfo?(rumosmok)
It still happens at a low volume:
* 192 crashes in 22.0
* 11 crashes in 23.0b9

More reports at:
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=js%3A%3AContextStack%3A%3AcurrentScript%28unsigned+char**%2C+js%3A%3AContextStack%3A%3AMaybeAllowCrossCompartment%29
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=js%3A%3AContextStack%3A%3AcurrentScript%28unsigned+char**%2C+js%3A%3AContextStack%3A%3AMaybeAllowCrossCompartment%29+const
Crash Signature: [@ js::ContextStack::currentScript(unsigned char**)] → [@ js::ContextStack::currentScript(unsigned char**)] [@ js::ContextStack::currentScript(unsigned char**, js::ContextStack::MaybeAllowCrossCompartment) ] [@ js::ContextStack::currentScript(unsigned char**, js::ContextStack::MaybeAllowCrossCompartment) co…
OS: Windows 7 → All
Hardware: x86 → All
Assignee: general → nobody
Crash Signature: , js::ContextStack::MaybeAllowCrossCompartment) const ] → , js::ContextStack::MaybeAllowCrossCompartment) const ] [@ js::ContextStack::currentScript] [@ js::ContextStack::currentScript const ]
no crashes for current versions, and Sheila hasn't replied
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(rumosmok)
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.